AMENDMENTS TO THE CLAIMS: 



This listing of the claims will replace all prior versions, and listings, of the claims in this 
application: 

Listing of Claims: 

1. (Currently Amended) A network comprising:

an internal secured portion comprising a first virtual private network certificate authority
and a second virtual private network certificate authority;

an external portion;

at least one mobile node in the external portion;

at least a first gateway associated with the first virtual private network certificate
authority; and

at least a second gateway associated with the second virtual private network certificate
authority, where the internal secured portion connects via the first gateway and the second
gateway to the external portion, and

the network is configured to change a gateway, which the mobile node uses to
communicate with the internal secured portion, from the first gateway to the second gateway via
the first and the second virtual private network certificate authorities in response to movement of
the mobile node and in response to a receipt from the mobile node of a new care-of-address that
is different from a first care-of-address.

2. (Previously Presented) A network as claimed in claim 1, further configured to transfer context
information usable by the at least first gateway in communications with the mobile node, to the 
second gateway. 

3. (Previously Presented) A network as claimed in claim 2, wherein the context information 
includes an identifier of the mobile node. 

4. (Previously Presented) A network as claimed in claim 3 wherein the identifier is a home
address of the mobile node.



5. (Previously Presented) A network as claimed in claim 2, wherein the context information 
includes material for defining secure communication means by which information is transferable 
securely between the mobile node in the external portion of the network and the internal secured 
portion of the network, via the second gateway. 

6. (Previously Presented) A network as claimed in claim 5, wherein the secure communication
means is a security association pair between the second gateway and the mobile node. 

7. (Previously Presented) A network as claimed in claim 2, wherein the context information is 
transferred from a location that is physically separate from the first gateway. 

8. (Previously Presented) A network as claimed in claim 2, further configured to transfer
information to the mobile node for enabling communications between the mobile node and the 
second gateway. 

9. (Previously Presented) A network as claimed in claim 8 wherein the information transferred to 
the mobile node enables secure communication means by which information is transferable 
securely between the mobile node in the external portion of the network and the internal secured 
portion of the network, via the second gateway. 

10. (Previously Presented) A network as claimed in claim 9, wherein the secure communication 
means is a security association pair between the mobile node and the second gateway. 

11. (Previously Presented) A network as claimed in claim 8, wherein the information transferred 
to the mobile node comprises an address of the second gateway. 

12. (Previously Presented) A network as claimed in claim 8, wherein the information transferred 
to the mobile node is transferred between the first gateway and the mobile workstation using an 
existing security association between the mobile node and the first gateway.

13. (Previously Presented) A network as claimed in claim 1 wherein the second gateway
comprises one or more databases which are updated to enable the internal secured portion of the
network and the mobile node in the external portion of the network to communicate via the
second gateway.

14. (Previously Presented) A network as claimed in claim 13, wherein the one or more databases 
are a security policy database and a security association database. 

15. (Previously Presented) A network as claimed in claim 1 wherein the mobile node comprises 
one or more databases which are updated to enable the internal secured portion of the network
and the mobile node in the external portion of the network to communicate via the second
gateway. 

16. (Previously Presented) A network as claimed in claim 15, wherein the one or more databases 
are a security policy database and a security association database. 

17. (Previously Presented) A network as claimed in claim 1 further configured to detect a present 
location of the mobile node and change the gateway through which the mobile node 
communicates with the internal secured portion of the network, from the first gateway to a better
gateway. 

18. (Previously Presented) A network as claimed in claim 17, wherein the better gateway is better 
because it is either closer to the mobile node or it is optimal for routing existing sessions. 

19. (Cancelled) 

20. (Cancelled) 

21. (Cancelled)

22. (Previously Presented) A network as claimed in claim 17, further configured to detect a
present location via a location detection means that is separate from the first gateway. 

23. (Previously Presented) A network as claimed in claim 22, further configured to transfer 
information via transfer means physically separate from the first gateway and wherein the 
transfer means and the location detection means are housed together. 

24. (Previously Presented) A network as claimed in claim 1 wherein the first gateway and the 
second gateway are in distinct physically separated segments of the network. 

25. (Previously Presented) A network as claimed in claim 1, wherein the mobile node 
communicates with the internal secured portion of the network via the first gateway and also via 
the second gateway simultaneously for a transition period, before communicating via the second 
gateway only. 

26. (Previously Presented) A network as claimed in claim 1 wherein the mobile node is involved 
in a session with a correspondent node. 

27. (Previously Presented) A network as claimed in claim 26, wherein the correspondent node is 
located in the internal secured portion of the network and the mobile node is located in the 
external portion of the network. 

28. (Currently Amended) A method comprising: 

determining when a first serving gateway associated with a first virtual private network 
certificate authority, through which a mobile node communicates from an external portion of a
network with an internal secured portion of the network, is sub-optimal;

identifying a second gateway associated with a second virtual private network certificate
authority; and

in response to the mobile node moving and sending a new care-of-address that is different
from a first care-of-address to the first serving gateway, transferring the gateway through which
the mobile node communicates with the internal portion of the network from the first serving
gateway to the second gateway via the first and second virtual private network certificate
authorities, wherein the internal secured portion comprises a private virtual network certificate
authority,

29. (Currently Amended) A mobile node comprising: 

means for receiving, via a first secure communication means, an identifier of a second 
gateway; and 

means for changing from communicating with an internal secured portion of the network 
through the first gateway to communicating via the second gateway, in response to moving and 
sending a new care-of-address that is different from a first care-of-address to the first gateway,
wherein the internal secured portion comprises a private virtual network certificate authority,
wherein the mobile node enters a security association for the second gateway into its security
association database.

30. (Previously Presented) The network as claimed in claim 23, further comprising means for
using a first secure communication means by which information is transferable securely between
the internal secured portion of the network and the mobile node via the first gateway, to receive
an identifier of the second gateway. 

31. (Previously Presented) The network as claimed in claim 23, further comprising means for 
using a second secure communication means to transfer information securely between the 
internal secured portion of the network and the mobile node via the second gateway.

32. (Currently Amended) A method comprising: 

moving by a mobile node in an external portion of a network, where the network
comprises an internal secured portion, the external portion, at least a first gateway, and at least a
second gateway;

obtaining a location identifier, where the location identifier comprises a new care-of- 
address different from a first care-of-address; 

sending the new care-of-address to the first gateway; and

in response to receiving an acknowledgement from the second gateway, communicating
via the second gateway, wherein the internal secured portion comprises a private virtual network
certificate authority wherein the mobile node enters a security association for the second gateway
into its security association database.

33. (Currently Amended) A method comprising: 

receiving a new care-of-address that is different from a first care-of-address from by a 
mobile node that has moved in a network; and 

updating a location database in order to change an identification of the first gateway to an 
identification of a second gateway that the mobile node uses to communicate from an external 
portion of the network to an internal secured portion of the network, wherein the first gateway is
associated with a first internal secured portion comprises a private virtual private network
certificate authority in the internal secured portion and the second gateway is associated with a
second virtual private network certificate authority and context information for the mobile node
is transferred from the first virtual private network certificate authority to the second virtual
private network certificate authority.

34. (Currently Amended) An apparatus comprising: 

means for receiving a new care-of-address that is different from a first care-of-address by
a mobile node that has moved in a network; and

means for updating a location database in order to change an identification of the first
gateway to an identification of a second gateway that the mobile node uses to communicate from
an external portion of the network to an internal secured portion of the network, wherein the
internal secured portion comprises a private virtual network certificate authority the first gateway
is associated with a first virtual private network certificate authority in the internal secured
portion and the second gateway is associated with a second virtual private network certificate
authority in the internal secured portion, wherein context information for the mobile node is
transferred from the first virtual private network certificate authority to the second virtual private
network certificate authority,

35. (Previously Presented) A network as claimed in claim 1 wherein the network is a virtual
private network.

36. (Currently Amended) A virtual private network certificate authority, comprising: 

means for forming first and second security associations between and with a mobile node
and the virtual private network certificate authority with a mobile node;

means for updating a location database; and

means for forming first and second security associations between and with a gateway
node and the virtual private network certificate authority with a gateway node, wherein the first
and second security associations between and with the mobile node and the virtual private
network certificate authority and between and with the gateway node and the virtual private
network certificate authority are encapsulating security payload security associations.